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Abstract The aim of this study is to understand the inherent expressive 
power of GTL operators. We investigate the complexity of model check¬ 
ing for all CTL fragments with one CTL operator and arbitrary Boolean 
operators. This gives us a fingerprint of each CTL operator. The com¬ 
parison between the fingerprints yields a hierarchy of the operators that 
mirrors their strength with respect to model checking. 

1 Introduction 

Temporal logics are a long used and well-understood concept to model software 
specifications and computer programs by state transition semantics. The first 
approaches in this currently quite large area of research go back to Arthur N. 
Prior [^[21]. The logics became more prominent in the 70s and 80s due to sig¬ 
nificant effort of Pnueli, Emerson, Halpern, and Clarke liiiniiin]- Usually one 
distinguishes between three temporal logics: linear time logic LTL, computation 
tree logic CTL, and the full branching time logic CTL*. All these logics are 
defined as extensions of (modal) propositional logic to express properties of com¬ 
puter programs by introducing two path quantifiers A and E, resp., five temporal 
operators neXt, Until, Future, Globally, and Release. Form a syntatctic point of 
view, the three temporal logics differ in the way how the path quantifiers and 
temporal operators may be combined. The computation tree logic CTL allows 
operators that are combined from one path quantifier directly followed by one 
temporal operator. Thus there are ten different CTL operators—e.g., EX or AU. 

The most important decision problems related to temporal logics are the 
satisfiability problem and the model checking problem. The complexity of these 
problems ranges between P and 2EXPTIME and has been classified for the 
general cases Recently the satisfiability problem for all three 

logics has been completely classified with respect to all Boolean and temporal 
operator fragments Ellin], motivated in part by the fundamental work of E. 
Post m on Boolean functions. In the same way, the model checking problem 
for LTL was studied in detail [Tj. The model checking problem for CTL has 
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Figure 1. Overview of complexity results—the model checking fingerprints of the CTL 
operators. 


been deeper understood in [3] who examined the complexity of CTL fragments 
that have arbitrary CTL operators that are combined only with all monotone 
Boolean operators. For model checking, there are seven relevant fragments of 
Boolean operators [1], but only one of these was considered in [3]. 

We aim to fill this gap by classify¬ 
ing the remaining relevant Boolean op¬ 
erator fragments for the computation 
tree logic CTL. More specifically, we 
examine the complexity of CTL model 
checking for all fragments of formulas 
that combine one of the ten CTL op¬ 
erators with one of the seven relevant 
fragments of Boolean operators. With 
our work one can completely charac¬ 
terize all but four of these combina¬ 
tions. Our classifications—informally 
called fingerprints—yield a preorder 
expressing how powerful a CTL oper¬ 
ator is. We say a CTL operator T is 
me-stronger than 7*^ in symbols 1~' if for every set B of Boolean operators 
the model checking problem for the ({T} U B)-fragment of CTL is computation¬ 
ally harder than that for the {{T'} U i3)-fragment. The resulting partial order 
is shown in Figure [3] It can be seen as a generalization of the notion of express¬ 
iveness of CTL fragments m- Whereas the notion of expressiveness deals with 
equivalence of formulas from different fragments, our notion of mc-strength deals 
with equivalence of model checking instances for different fragments. Expressive¬ 
ness is meaningful from a language theoretic point of view, and mc-strength from 
the computational complexity perspective. 



Figure 2. The mc-strength hierarchy of 
CTL operators that relies on their finger¬ 
prints (Fig.[T]). Arrows indicate the relation 
<. Operators X and Y in the same circle 
have the same mc-strength (i.e., X cY and 
Y oX). The hierarchy is proper under the 
common assumptions NL C LOGCFL C P. 



















The paper is organized as follows. At first we introduce syntax and semantics 
of CTL, and we explain the alternating graph accessibility problems that we 
use in our hardness proofs (Section [2|). We visit each CTL operator and show 
its complexity fingerprint (Sections 13.11 and |4|). Finally we conclude with the 
resulting comparison of the mc-strength of CTL operators and an outlook to 
future work (Section [S|). The Appendix contains the missing proofs. 


2 Preliminaries 


2.1 Computation Tree Logic CTL 

Let PROP be a set of atomic propositions. Then the set of all well-formed CTL 
formulas is ip ::= 1 \ p \ p A p \ p V p \ p (B p \ ~^p \ VOp \ pVO'p, for 
p € PROP, V € {A, E}, O € {X, F, G}, O' e {U, R}. We say PO are the unary 
CTL operators EX, AX, EG, AG, EF, AF and PO' are the binary CTL operators 
EU, AU, ER, AR. A Kripke model (for CTL) is a triple (W,R,^), where IT is a 
finite set of states, R'. W ^ W is a, total transition relation (i.e., for aWw&W 
there is aw' with wRw'), and FT —>■ 2^^®^ is an assignment function. 

The semantics of CTL is defined as follows on states. Let A4 = (IT, R,^) be 
a Kripke model. Let n{w) denote the set of infinite paths starting in w € FT 
through (FT, i?), i.e., a path tt e lJ{w) is an infinite sequence tt = 7r[l]7r[2] ■ • • 
with 7r[l] = w and (7r[f], 7r[f -F 1]) G i? for all i >1. 


M,w \= 1 
M,w \= p 
M,w \= 

A4,w \= tp A(j) 
M, w \= ipV (p 

M, w\='ip ®(p 
M,w h EXtp 
A4, w \= EP p 
M, w \=E.Gp 


always, 
iffp G P,{w), 
iff M, 

iff Al, ic \= Ip and M,w \= 4>, 
iff M, w \= Ip OY M, w\= (p, 

iff (Ad, w \='ip and Ad, w (p) oy (Ad, w Y= ip and Ad, w ^ (p), 
iff 3tt G n{w) : Ad, 7r[2] |= p, 


iff 3tt G n(w) 3k >1 
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The remaining CTL operators can be expressed as duals of the above defined 
operators. We have the equivalences AX p = -i EX -up, AF p = -•EG -^p, AG p = 
-iEF-i(/j, ipARp = -'{^ip EU -'p), and ipAUp = -i(-i'0 ER-k^). Moreover, the 
operators EX, EG, EU are a minimal set of CTL operators that together with 
the Boolean operators suffice to express any from the others m, and with 
the Boolean operators A, 0 one can express every Boolean function. For a set 
T C {EX, AX, EG, AG, EF, AF, EU, AU, ER, AR, A, V, 0} of Boolean functions 
and CTL operators, a T-formula is a formula that has operators only from T. The 
T-fragment of CTL is the set of all T-formulas. The model checking problems 
for CTL fragments are defined as follows. 



Problem: CTL-MC(T) 

Description: The model checking problem for T-fragments of CTL. 

Input: A CTL formula (p with operators in T C {EX, AX, EG, 
AG, EF, AF, ED, AU, ER, AR, A, V, -i, ©}, a Kripke model 
M — {W, R, ^), and a state wq € W. 

Question: Does M,wo \= (p hold? 


Usually we will omit the {■} and U in the problem notion for convenience. 

Post m classified the lattice of all relevant sets of Boolean operators—called 
clones —and found a finite base for each clone. The definitions of all clones as 
well as the full inclusion graph can be found, for example, in [4]. Whereas in 
general there is an infinite set of clones, for model checking luckily there are 
only seven different clones [T] depicted in Figure O where we describe the clones 
by their standard bases. (See, e.g., [TS] for more explanations.) 

2.2 Computational Complexity 

We will make use of standard notions of complexity 
theory m- In particular, we will make use of the com¬ 
plexity classes NL,LOGCFL, AC^, and P. 

NL is the class of problems decided by non- 
deterministic logarithmically space bounded Turing 
machines. The typical complete problem is the graph 
accessibility problem for directed graphs REACH 
(given a directed graph with two nodes s and t, is 
there a path form s to t?). LOGCFL is the class of 
problems decided by nondeterministic logarithmically 
space bounded Turing machines, that are additionally 
allowed to use a stack and run in polynomial time. 

AC^ is the class of problems decided by alternating figures. The Boolean 
, 1 1 1 m • 1 . • 1 clones relevant lor model 

logarithmically space bounded luring machines with , , . ^ i i 

° ^ ° checking, represented by 

logarithmically bounded number of alternations. We standard bases, 

will shortly present complete problems for both of denotes the clone repres- 
these classes. In order to prove hardness results, we ented without operator 
will make use of logarithmic space bounded many-one (“identity” of an atom), 
reductions It is known that NL C LOGCFL C 
AC^ C P but not whether any inclusion is strict. 

Clarke, Emerson, and Sistla [7] showed that model checking for CTL is in P, 
and Schnoebelen [22 showed that it is P-hard. 

Theorem 1 (Ellis]). CTL-MC(EX,..., AR, A, V, ©) is P-complete. 

How CTL operators compare with respect to the complexity of model check¬ 
ing, was investigated in |3] in the following way. They completely characterize 
the complexity of CTL-MC(T, A, V) for every set T of CTL operators. They show 
that this complexity is either P-complete or LOGCFL-complete. For singletons 




S C {AF, EG, AU, EU, AR, ER} the problems CTL-MC(S', A, V) are P-complete, 
whereas for all other singletons S C |AX, EX, EF, AG| CTL-MCl^, A, V) is only 
LOGCFL-complete. 


Next, we consider problems that 
we will use for reductions in our hard¬ 
ness proofs. The alternating graph ac¬ 
cessibility problem is shown to be P- 
complete in We use the follow¬ 
ing restricted version of this problem 
that is very similar to Boolean circuits 
with and- and or-gates (and input- 
gates). An alternating slice graph |18) 
G = (P, E) is a directed bipartite 
acyclic graph with a bipartitioning 
V = Pa U Vv, and a further partition¬ 
ing P = PoUPiU- • - LiVm (m-Fl slices, 
P n 1^- = 0 if i ^ j) where 


slice Pi C Pa: 
slice p 3 C P/: 
slice P C Pa: 
slice Pi C P/: 
slice P C Pa: 

s 

Figure 4. An instance (G, s, T) of 
ASGAP(Vout=2, 3in=l). The marked edges 
indicate the witness for apathQ{s,T). 



m — 1 

Pa = [J p and p = [J p, such that A C (J (pxp+i). 

i<m,i even i<m,i odd 2=0 


(All edges go from slice p to slice p+i for i = 0,1,2,... ,m — 1.) All nodes 
excepted those in the last slice Vm have a positive outdegree. Nodes in Pa are 
called existential nodes, and nodes in p are called universal nodes. Notice that 
Pq P P by definition. Alternating paths from node x to nodes in T C Vm are 
defined as follows by the property apathQ(x,T). 


(1) for X G Vm apathQ{x,T) iff a: G T 

(2a) for a: G Pa — Pn : apathQ^x, T) iff G p : (x, z) € E and apathQ^z, T) 

(2b) for a G p — Pn : apathQ{x, T) iff Vx G Pa : if (x, z) G E then apathQ{z, T) 

The problem ASGAP is similar to the alternating graph accessibility problem, 
but for the restricted class of alternating slice graphs. 


Problem: ASGAP 

Description: The alternating slice graph accessibility problem. 

Input: {G,s,T), where G = (Pa U V\/,E) is an alternating slice 
graph with slices Pg, Pi,..., Vm, rn even, and s G Vq, T C 
Vm- 

Question: Does apathQ{s,T) hold? 


We will use also the following variant where the outdegree of V-nodes and 
the indegree of 3-nodes is restricted. 



Problem: ASGAP(Vout=2, 3in=l) 

Description: The alternating slice graph accessibility problem with 
bounded degree. 

Input: {G,s,T), where G = (V 3 U V\/,E) is an alternating slice 
graph with slices Vo,Vi,, Vm, where every node in Vy 
has outdegree 2 and every node in V 3 — Vn has indegree 1, 
and sGVo,TC Vm- 
Question: Does apathQ{s,T) hold? 


ASGAPiog is the set of all elements {G,s,T) of ASGAP, where G is a 
graph with n nodes and m slices such that m < logn. Similarly, the problem 
ASGAP(Vout=2,3in=l)jQg is the subset of ASGAP(Vout=2,3in=l) with graphs 
of logarithmic depth. The following completeness results are straightforward. 

Theorem 2. 1. ASGAP is P-complete [I?] /. 

2. ASGAP(Vont=2, 3in,=l) is P-complete. 

3. ASGAPiog is AC^ -complete fW/ . 

4 . ASGAP(VoMt=2,3i„=l)jQg is LOGCFL-complete. 

A Kripke model (VP, R,^) contains a total graph (VP, R). We will use several 
methods to transform an alternating graph to a graph that appears as (part of) 
a Kripke model. 

If G = {V, E) is an alternating graph with slices Vq, ..., Vm, then G'^ = 
{V'^,E'^) is the total graph obtained from G by adding a singleton slice ip„+i = 
{e} and edges from all nodes in Vm U I4i+i to e. More formally, V^ = V U V^+i 
and E^ = E U {{Vm U {e}) x {e}). 

For instances of ASGAP(Vout=2, 3in=l), we will also apply another trans¬ 
formation. Let G = {V,E) with slices Vo,...,t?m be such an instance. Every 
slice Vi C Vb — Vo consists of nodes with indegree 1. (Remind that node(s) in 
Vo have indegree 0.) Thus Vi C V 3 — Vb can be considered as being partitioned 
into sets P^" := {z; | {u,v) S E} for every u G I?i-i. Then each consists of 
two nodes which can be assumed to be ordered arbitrarily, and we will use the 
notation = {vu,i,Vu, 2 }. 

Let Vi := {v \ V € Vi} he a set of nodes that are “copies” of the nodes of 
Vi. Similarly as Vi for even i > 0 (i.e. Vi C V^ — Vq), Vi is partitioned into sets 
for all u G Vi-i. The graph G^ = {V^,E^) obtained from G is 
defined as follows. (See also Figure [S] for an example.) 

V^^ := V^ U \JZo V) 

E^ := A n V 3 X Vv (The edges leaving 3-nodes are as in G.) 

U {(u,nii 1 ) I u G Vy} (V-nodes have an edge to their “first” successor in 

G.) 

u {{Vu,l,Vu,l), {Vu.l,Vu,2), {Vu,2,Vu,2), (f’«,2,'C«.2) \ U € Vy} 

(From each first sue. Vu,i starts a path Vu,i,Vu,i,Vu, 2 ,Vu ,2 ending in a loop.) 

U {(u, ii), {u,u) I M G Vy U Vq} 

(V-nodes and Vo-nodes u have another edge to u having a loop.) 



We will use the notion of slices also for , even though there are edges 
between nodes in the same slice. The set of nodes is partitioned to G^ = 
UV^ U ...UVl, where slice y> = V^U% 

slice V 4 
slice 


slice 
slice Vi^ 


slice Vo 

Figure 5. The graph obtained from the graph G in Figure |4l The labels in the 
nodes indicate to which partition the node belongs. The marked edges indicate infinite 
paths whose collection “simulates” the witness for apathQ{s,T) in G. 



3 Computation Tree Logic CTL 

3.1 Existential Until ED 

It was shown in [3] that CTL-MC(EU, A, V) is P-complete. We improve this result 
by showing that the Boolean operators are not necessary for the hardness and 
show that CTL-MC(EU) is P-complete (Theorem [3]). Since model checking for 
formulas with EU as single operator reaches the maximal hardness, EU turns 
out to be the hardest CTL operator. We also can conclude that CTL-MC(T) is 
P-complete for every set T of Boolean functions and CTL operators that contain 
EU. 

Technically, the proof of Theorem |3] can be seen as a guide for the P-hardness 
proofs for CTL-MC(ER, V) and for CTL-MC(EG, ©). Since the latter consider 
fragments with a combination of temporal and Boolean operators, their proofs 
are technically more involved, but the basic strategies are similar. 

Theorem 3. CTL-MC(EU) is P-complete. 

Proof. The upper bound P follows from [7]. For the lower bound—P-hardness— 
we give a reduction from the P-complete problem ASGAP(Vout=2, 3in=l). Let 
(G, s,T) be an instance of ASGAP(Vout=2, 3in=l) with G = {V,E) for V = 
V 3 U Vv with slices V = Vb U ... U Un- Let G^ = be the graph obtained 

from G as described in Section 12.21 Using G ^, we construct a Kripke model 
Keu = {V^,E^,^) with assignment ^ as follows (see Figure H] for an example). 






14 u V4: 

V3Ut>3; 


ViUVi: 
Vb U t/o: 



Figure 6. Example for the construction of Keu in the proof of Theorem[3] The marked 
edges indicate the paths according to Claim [d] 


1. < is assigned to every node in T. 

2 . Si is assigned to every node in Vi^ (for i = 0,1,... ,m). 

3. Si is assigned to every node v € Vi with (v, v) ^ (for z = 0,1,..., m). 

4. Ci is assigned to every node v gV with (w, v) G (for z = 0,1,..., m). 

The formulas (j)i are defined inductively for z = m,m—l,...,0as follows. 




t, if z = m. 

Si EU((si+i EU 0i+i) EU Ci+i), if z < m. 


The Kripke model iCEU and the formulas (j)i are constructed in a way that sim¬ 
ulates alternating graphs as follows. Examples for the paths used in the following 
Claim are indicated by marked edges in Figure [ 6 ] 


Claim 4- 1- Let zu G Vi fl V 3 for some i < m. Then Ke\j, w \= (fii il and only if 

there exists a tt G II{w) with 7 r[ 2 ] G Vi+i such that iVEu, 7 r[ 2 ] |= (j)i+i. 

2. Let zc G 14 n Vv for some i < m. Then KevtW \= 4’i if and only if there 
exists a TT G n{'w) with 7 r[2],7r[4] G 14+1 such that iVEU,7’'[2] |= 4n+i and 
LfEU,7r[4] 1= 

Now we only have to use the relation between G and . 


Claim 5. For every i <m and every w G Vi holds: Ke\j,w \= (pi if and only if 
apatliQ^w, T). 

The proofs of the above claims can be found in the Appendix. With Claim [5] 
we get that {G,s,T) G ASGAP(Vout=2, 3in=l) if and only if K£\j,s \= pQ. The 
CTL-MC(EU) instance (ATeu, s, po) can be computed in space logarithmic in the 
size of G. Thus we have shown ASGAP(Vout=2, 3in=l) CTL-MC(EU). □ 

From Theorems [1] and |3] we immediately get the complete characterization 
of the complexity of model checking for fragments with ED—i.e., the model 
checking fingerprint of ED. 


Theorem 6. GTL-MG(EU, B) is P-complete for every B C {- 1 , A, V, ©}. 




























4 The Remaining Existential Operators: Release ER, 
Globally EG, Next EX, and Future EF 

Let us first turn to the case of existential next EX as nothing has to be proven. 
Its model checking fingerprint actually is already known even though it is not 
always stated in the way we do it here. 

Theorem 7. Let B C {-i, A, V, ©}. Then CTL-MC(EX, i?) is 

1. P-complete for B D {-i} or B D {©} 

2. hOGCFL-complete for B = {A, V} or B = {A} and 

3. Tllj-complete for B C {v} (follows immediately from ]15{ Theorem 3.3]). 

For the remainder of the results in this section we have to omit the proofs 
due to space constraints. However the details are all presented in the appendix. 
This section is structured as follows. We will state a model checking fingerprint 
theorem and then start to explain and discuss the results in order to give some 
intuition on the proof technique. Also we will mention some connections between 
the results, e.g., how the overall picture presents. Let us begin with the finger¬ 
print of ER. 

Theorem 8. Let B C {-i, A, V,©}. Then CTL-MC(ER, B) is 

1. P-complete for B D {V} or B f) {-i} or B D {©}, 

2. LOGCFL-hard for B © {A}, and 

3. FOGGFF-eomplete for B = 0. 

The P-completeness of CTL-MC(ER, A, V) is shown in [3]. We improve this 
result by showing P-hardness already for CTL-MC(ER, V). The optimality of 
this hardness result is witnessed by the LOGCFL-completeness of CTL-MC(ER). 
Also observe that this shows that ER is not as powerful as EU. Our results are 
completed by the P-hardness of CTL-MC(ER,-■). Concluding, this shows that 
ER is strictly simpler than EU (unless LOGCFL = P). 

Let us now consider the case of ER with -i. If s is an atom that is satished 
only by a node w and all its successors in a Kripke model AT, and no successor 
of w satishes s, then K,w \= a ER s if and only il K^w ^ EX a. One can use this 
idea to translate the P-hardness proof of CTL-MC(EX, -■) to a P-hardness proof 
of CTL-MC(ER,^). 

We settled complete characterizations of the complexity of CTL-MC(ER, B) 
for fragments with ER as only CTL operator for all B C {-', A, V,©} except 
B = {a}. For CTL-MC(ER, a) we have LOGCFL-hardness and containment in 
P (follows from [3]). A result with matching upper and lower bounds yet remains 
open. 

Turning to the case of existentially globally operator EG, interestingly, this 
operator combines an existential and universal quantification in a single operator. 
This is worth noting as it proves itself as powerful operator from complexity point 
of view. 


Theorem 9. Let B C {-i. A, V,©}. Then CTL-MC(EG,B) is 


1. P-complete for B 3 {A, V} or B {©}: 

2. complete for B C {A} or B C {V} or B C 

It was shown in [3] that CTL-MC(EG, A, V) is P-complete. We prove that this 
result is optimal by showing that CTL-MC(EG, A) and CTL-MC(EG, V) are both 
NL-complete. Further we obtain the same characterization for CTL-MC(EG) and 
CTL-MC(EG,-i). The most intriguing result is the P-completeness of the frag¬ 
ment CTL-MC(EG, 0). One can reduce from ASGAP(Vout=2, 3in=l) but it is 
quite demanding to explicitly argue on the chosen paths depending on the occur¬ 
ring exclusive-ors ©. From the model construction one can easily see similarities 
to the one shown in Figure |6] however one needs additional propositions labelled 
on the states to ensure having control on the paths. 

Theorem 10. Let B C {-i, A, V)®}- Then CTL-MC(EF, i?) is 

1. P-complete for B 0 {A, ©}, 

2. AC^-hard for B D {©}, and 

3. POGGPP-complete for {A} C B C {A, V}> and 

4- l^L-complete for B C {V} or B C {-i}. 

In [3] it is shown that CTL-MC(EF, A, V) is LOGCFL-complete. Since their 
hardness proof does not use V, it follows that GTL-MC(EF, A) is LOGCFL- 
complete, too. Moreover, CTL-MC(EF, AG, A, V) is shown to be P-complete in 
[3]; we get P-completeness for CTL-MC(EF, A, ©). We classified almost all re¬ 
maining cases. We show that the cases CTL-MC(EF), CTL-MC(EF,-■), and 
CTL-MC(EF, V) are all NL-complete. However the most interesting result is 
the AC^-hardness of CTL-MC(EF, ©). There are only very few problems known 
for which AC^ is the best shown lower bound. In fact, Cook asks for natural 
AC^-complete problems, i.e., problems where the AC ^-completeness is not forced 
by some logarithmic bounds in the problem definition. Chandra and Tompa [6] 
show an AC^-complete two-person-game that has AC^ as a straightforward up¬ 
per bound and continue to ask for “less straightforward” AC^-complete problems. 
One such problem is the model checking problem for intuitionistic logic with one 
atom m- The model checking problem for the {EF, ©}-fragment is a very hot 
candidate. Anyway, it seems to be a very challenging question to show whether 
this problem belongs to Cook’s list. 

5 Conclusion 

In this paper we aimed to present a complete complexity classification of all 
fragments of CTL with one CTL operator and arbitrary Boolean functions. An 
overview of the complexity results is given in Figure [T] We stated all our res¬ 
ults for CTL operators that start with the existential path quantifier E. But 
our classification easily generalizes to the remaining CTL operators starting 
with the universal path quantifier A through the well-known dualities. Simply 
said, if CTL-MC(r, H) is complete (resp. hard) for a complexity class C, then 
CTL-MC(dual(T), dual(H)) is complete (resp. hard) for the complement co-C of 


C. Thus, e.g., from the AC^-hardness of CTL-MC(EF, ©) (Theorem fTUl) we imme¬ 
diately obtain AC^-hardness of CTL-MC(AG, ©), and from LOGCFL-complete- 
ness of CTL-MC(EX, a) (Theorem [7]) we obtain LOGCFL-completeness of the 
corresponding GTL-MC(AX, V). Our results can directly be rewritten to deal 
not only with Boolean operators but in a more generalized view with Boolean 
clones as, e.g., in the work of Bauland et al. and Beyersdorff et al. nig. 

The only open cases for which we yet cannot prove matching upper and 
lower bounds are CTL-MC(ER, A) and GTL-MG(EF, ©) and, of course, their 
duals CTL-MC(AU, V) and CTL-MG(AG, ©). Although we could not achieve an 
AG^ upper bound for CTL-MC(EF, ©), we are convinced that such a result seems 
closer than proving P-hardness (or some stronger hardness result than AG^). 

Our classifications can be applied to compare the expressiveness of single 
CTL operators with respect to the complexity of the induced model checking 
problems. 

Definition 11. Let S and T be a set o/CTL operators. We say that T is mc- 
stronger than S (abbreviated as S <iT), if for all sets B of Boolean functions 
holds CTL-MC{S,B) CTL-MC(T,5). 

The reflexive and transitive relation <i for mc-strength compares what we 
informally called the model checking fingerprints of CTL operators. Our fin¬ 
gerprint theorems (Theorems I MTHll yield the hierarchy of mc-strength of CTL 
operators shown in Figure [2l The notion of mc-strength generalizes the notion 
of expressiveness [Tg of CTL operators. For example, since EG a = OERa, ER 
is more expressive than EG. With our notion we obtain also EG<ER. But our 
notion yields more information about differences between several operators. For 
example, EX and ED have incomparable expressiveness, but we obtain EX<iEU. 

A strength-relation like <i can also be defined with respect to the satisfiab¬ 
ility problem—call it sat-strength. Whereas for model checking the set of CTL 
operators is partitioned into seven sets with different mc-strength (see Figure [g, 
from [igiTg it follows that the comparison by sat-strength yields only the fol¬ 
lowing three partitions with increasing strength: {AF, EG}, {EX, AX, EF, AG}, 
and {AU, ED, ER, AR}. The three notions expressiveness, sat-strength, and mc- 
strength intuitively compare as follows. Expressiveness relies on equivalence of 
formulas, sat-strength relies on equisatisfiability of formulas, and mc-strength on 
equisatisfaction of model checking instances. 

Further work should solve the exact complexity of CTL-MC(EF, ©), which 
seems to be a very challenging problem. Moreover, one should study the mc- 
strength of other temporal logics or of pairs of CTL operators. 
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6 Appendix 


6.1 EU 

Proofs for Theorem [3j CTL-MC(EU) is P-complete. 

The basic semantical property of EU that we will use is 
K,w \= aE\} (3 li and only if 

(i) K,w \= (3 or {a) K,w \= a and i^T, u ^ a EU /3 for a successor v of w. (1) 
Claim 12. For all i < m, all nodes w and all j > i holds: ^ (j)j. 

Proof. Let i < m and w € V^. We proceed by induction on j = m,m — 
l,...,i + 1. The base case is clear since t ^ ^{w) and thus Keu,w ^ t{= 
(pm)- For j < m, we have Ke\j,w ^ 4>j+i inductive hypothesis. Assume 
Keo^w ^ Sj EU((.§j+i EU0j+i) EUcj+i) (= (f>j). The next steps use ([T|). From 
Sj ^ ^{w) follows Keu,u! \= {sj+i EU(/)j+i) EUe^+i. From Bj+i ^ ^{w) then fol¬ 
lows Ke\j,w \= Sj+i EU(/)j+i, and from Sj+i ^ ^(w) we conclude Ke\j,w H 4'j+i- 
This contradicts the inductive hypothesis. Thus ATeu, m ^ O 

The Kripke model Keu and the formulas (j)i are constructed in a way that 
simulates alternating graphs as follows. 

Claim [4) 

1. Let re S Vi n Fa for some i < m. Then Ke\j, w \= 4>i if and only if there exists 
a TT G n(w) with 7r[2] G F-i-i sueh that ArEu,7r[2] |= (fi+i. 

2. Let w € Vi C Vi for some i < m. Then Ke\j,w ^ (pi if and only if there 
exists a TT G n{w) with 7r[2],7r[4] G F+i sueh that ArEU!7''[2] |= (pi+i and 
ArEu,7r[4] 1= (pi+i. 

Proof of (1). For the proof direction from left to right, assume Keu,w ^ (pi. 
Since Si G f{w) and Si ^ f{v) for all successors v of w, it follows from ([1]) 
that Keu,v \= (si+i EU^i+i) EU Ci+i for some successor v of w. For v' G V^ 
holds Si+i,ei+i ^ ^{v) and Keu,v' ^ (pi+i IClaim fT^. and using (P) we get 
KeVjv' ^ (si+i EU pi+i) EU Ci+i. Thus there is a successor v G F+i of w with 
Keu,v \= (si+i EU (/fi+i) EU Ci+i- Since Si+i,ei+i ^ ^(v), this means Kev,v |= 
(pi+l- 

For the other proof direction assume ArEu,7r[l] |= Si and ATeUjTtP] ^ <pi+i 
for some tt G II{w) with 7r[2] G F+i- Using ([T]) it follows that ATeUi^tP] \= 
Si+i EU pi+i. Moreover, 7r[2] has a successor u G F+i with Ke\j,u ^ ei+i. Thus 
from (P follows ArEU,7’‘[2] \= (si+i EU (pi+i) EU Ci+i. Since 7r[2] is a successor of 
7r[l](= w) and Si G fiw), we get Keu,w ^ Si EU((si+i EU (pi+i) EU Bi+i). 

Proof of (2). This can be shown using similar arguments as above. O 

Claim For every i < m and every w € Vi holds: Ke\j,w \= pi if and only if 
apathQ^w, T). 

Proof. The proof proceeds by induction on i. The base case for nodes in slice 
i = m IS straightforward. 


For the inductive step, we consider i < m and w G Vi. 

First, consider w G Va. By Claims we have that Ke{j,w \= (/)% if and only if 
w has a successor v G Vi+i with Ke\j,v ^ ipi+i- Since v is also a successor of w 
in G, using the inductive hypothesis, the latter is equivalent to apathQ{v,T) for 
a successor w of w in G. Since w G V 3 , this means apathQ(w,T). 

Next, consider w G Vy. By Claim HI we have that Keu,w \= (j)i if and only if 
there exists a path n G II{w) with 7 r[ 2 ], 7 r[ 4 ] G Vi+i such that iFEU,7’'[2] \= 4>i+i 
and iFEUj 7 r[ 4 ] \= (jii+i. Since 7 r[ 2 ] and 7 r[ 4 ] are all successors of w in G, using the 
inductive hypothesis, the latter is equivalent to apathQ{v,T) for all successors v 
of w in G. Since w G Vy, this means apathQ{w,T). O 

6.2 ER 


V4 U V4: 


Fa U Fa: 


F2 U Fa: 

Fi UFi: 

Fo U Fo: 

Figure 7. Kripke model -N(er,v) obtained from the ASGAP(Vout=2, 3in=l) instance 
in Figure H] 



Theorem 13. CTL-MC(ER, V) is V-complete. 

Proof. Containment in P follows from [7]. In order to show P-hardness, we 
logspace reduce from ASGAP(Vout=2, 3in=l). Let (G, s,T) be an instance of 
ASGAP(Vout=2,3in=l), where G = (F, A) and V = Fa U Vy consists of slices 
Vo,Vi,... ,Vm with s G F) and T C Fm- Let be the graph ob¬ 

tained from G as described in Section 12.21 In order to obtain the Kripke model 
-ff(ER,v) = it remains to define the assignment f of atoms to sets of 

nodes of G^. 

1. t is assigned to every node in T. 

2. So is assigned to every node in Vq. 































3. Si and Si-i are assigned to every node in Vi ioi i > 0. 

4. ti-i is assigned to every node v &V-^r\Vi (i > 0) that is the second successor 
V = Vu ,2 of a node tt S Vy fl Vi-i. 

5. Si-i is assigned to every v €Vi {i > 0) such that v = Vu,i is the copy of the 
first successor of a node u € Vy n Vi-i. 

Nothing is assigned to nodes Vu ,2 and to nodes in V\/. Notice that all infinite 
paths in G\, must eventually loop in a state Vu,2 that satisfies no atom at all. See 
Figure 0 for an example. 

The formulas (j>i are defined inductively as follows, for i = 1,...,0. 

{ t, ii i = m, 

4>i+i ERsi, if i < m and even (slice with 3-nodes), 

U ER((())i+i ERsi) V Si), if i < m and odd (slice with V-nodes). 

The following claim states that apathQ{x,T) corresponds to the satisfaction 
of formulas in the corresponding nodes in the constructed Kripke model. 

Claim 14- For every I < m and every v G Vi holds: apathQ{v,T) if and only if 
K{er^v),v \= (t>i. 

Proof. The proof proceeds by induction on 1. The base case for slice I = m is 
straightforward. For the inductive step, consider I < m. First consider even I 
(slice of 3-nodes), take a node u € V; n Vg, and assume 

K(^ERy),v \= (fi, i.e. X(ER,v),u hERsi. (2) 

Remind that 4>i+i = ti+i ER ((());+2 ERsj+i) V Si+i). Since Si+i,Si+i ^ ^(u), it 
follows that Rf(ER.v),i' 4'i+i- Since si G ^(v), it follows that ([2]) is equivalent 
to 


there exists a successor z of v with Rr(ER,v), ^ t= f>i+i ERs;. (3) 

The successor v G Vi of v does not satisfy s;. Thus m is equivalent to 

there exists a successor z € Vi+i of v with ^(er^v), z |= (j)i+i ER s;- (4) 

All successors z G V)+i of v satisfy si and do not have a successor that satisfies 
si- Thus dH) is equivalent to 

there exists a successor z G Vi+i of v with A1(er,v), \= 4>i+i- (5) 

By the inductive hypothesis and the construction of the Kripke model, this 
means that v has a successor z in G with apathQ{z,T). Since u G Fa, this is 
equivalent to apathQ(v,T). 

Now consider odd I (slice of V-nodes), take a node u gViC Vy, and assume 
^(er.v),m h i.e. A:(er,v),u 1= t; ER((( 5 ()i+i ERsi) Vsi). (6) 


There is no infinite path in 11 (u) that satisfies si or si in every node. Thus, 
® can only be witnessed by an infinite path that passes through a node that 
satisfies t/. Every such path in 77(u) has the finite prefix u,Vu,i,Vu,i,Vu, 2 - Thus 
® is equivalent to 

every node in the path u, Vu,i,Vu,i,Vu ,2 satisfies (</>i+i ER si) V Si. (7) 
For Vu,i this holds, since Si € 

^(ER,v),u h Si: but K(er,v),u ^ because ^ Si+i- Thus 

^(ER,v),u 1= ((/>i+iERsi) V St if and only if K(ER,v),Vn,i |= ipi+iERsi and 
K(er,v),Vu ,2 \= (/ii+iERsi. Since K(^er, v)^i’u,i h s; and no successor Vu,i of 
Vu,i satisfies si, it follows that 7f(ER,v):'i'u.i H 4>i+i ERs; is equivalent to hav¬ 
ing 7 ^(er,v)) 1= (for i = 1:2). This yields that ([7]) is equivalent to 

K(ERy),Vu,i \= (l>i+i and K(^ERy),Vu ,2 h <^i+i- ( 8 ) 

By the inductive hypothesis and the construction of the Kripke model, this means 
that apathQ{v, T) holds for all successors u of u in G. The latter is equivalent to 
apathQ{u,T). O 

With Claim im we get that (G, s, T) € ASGAP(Vout=2, 3in=l) if and only if 
-ff(ER.v): s 1= 4'o- The CTL-MC(ER, V) instance {K^er,v):S, (jio) can be computed 
in space logarithmic in the size of G. Thus ASGAP(Vout=2, 3in=l) logspace 
reduces to GTL-MG(ER, V). □ 


Theorem 15. GTL-MC(ER,-i) is R-complete. 

Proof. Containment in P follows from [7]. In order to show P-hardness, we give 
a reduction from ASGAP. Let {G,s,T) be an instance of ASGAP, where G = 
{V, E) for E = V 3 U Vv with slices Vq,Vi, ... ,Vm. Let G** = (V^E'^) be the graph 
obtained from G as described in Section [2^ In order to define the Kripke model 
K(^er,^) = -S’**: ^): we must give a definition of the assignment function 

— < is assigned to all nodes in T. 

— Si and Si-i are assigned to all nodes in Vi for f = 0,1 ,..., m. 

The formulas (fi are defined inductively for f = m,m—l,...,0as follows. 

{ t, if i = TO, 

4>i+i ER Si, if i < TO is even (slice of 3-nodes), 

-'(-'(/fi+i ERsi), if i < TO is odd (slice of V-nodes). 

Notice that in the new node e, no atom is satisfied, and therefore no (ja is 
satified. 

Claim 16. For all i < to and all v G Vi holds: Ki^er,^)^^ \= 4>i if and only if 
apatliQ^v, T). 


The induction base i = m is straightforward. For the induction step we 
consider i <m and v GVi. We first consider even i. Since ^^(er.-.); 'i' and 

on all paths tt G n{v), Si is satisfied only in 7r[l] = v and 7r[2], it follows that 
K{er^^),v \= 4)i+i ERsi is equivalent to ^^(er,-.); li' |= 'Pi+i for some successor w 
of V. By the inductive hypothesis we obtain this to be equivalent to apathQ(y, T). 
Next we consider odd i. Assume v ^ ER Si), i.e. v ^ 

ERSi- Since |= and for all tt € n{v) holds that st is 

satisfied only in 7r[l] = v and 7r[2], it follows that Ar(ER,-,),u ^ -^4>i+i ERs^ is 
equivalent to Ar(ER,^), rc ^ for all successors w of v. The latter means that 

Ar(ER _,),w \= (j)i+i for all successors w of v. Using the inductive hypothesis, we 
obtain apat/iQ(u, T). O 

The mapping from ASGAP-instances (G, s, T) to CTL-MC(ER, -i)-instances 
(-fS^(ER,^), S, (po) can be computed in logarithmic space. With Claim [T51 this yields 
that ASGAP logspace reduces to CTL-MC(ER,-i). 


Us: 


U 4 c Fg; 


U 3 C Fv: 


F2 C Fg: 


Fi C Fv: 


Uo C Fg: 



Figures. Kripke model Aer obtained from the ASGAP instance in Figure [4] 


Theorem 17. CTL-MC(ER) is LOGCFL-hard. 



























Proof. We <j5^®-reduce from the LOGCFL-complete ASGAP(Vout=2, 3in=l)jQg. 
Let (G, s, T) be an instance of ASGAP(Vout=2,3in=l)jQg, where G = {V, E) with 
V = V 3 U Vv and slices Vq,. . . ,Vm for m < log \V\. Let = (V^,E^) be the 
graph obtained from G as described in Section [521 In order to define the Kripke 
model ATer = (see Figure [5] for an example), we need to specify the 

assignment function f. 

1. t is assigned to all nodes in T. 

2 . Si is assigned to every node in Va D 1 ^. 

3. Si-i, s\, and s\ are assigned to every node in Vy H 1^. 

4. For u £ V^nVi, the two successors vi and Vr of u have u as only predecessor. 

Then s( is assigned to vi and s^ is assigned to Vr- 

Notice that V 3 n Vi is partitioned into two sets: one to which s( is assigned 
and the other to which s^ is assigned. 

The formulas (ft are defined inductively for i = TO,m — l,...,0as follows. 

{ t, if i = m, 

(jii+i ER Si, if i < TO is even (slice of 3-nodes), 

{4>i+i ERsC) ER((/)i_|_i ERs(), if i < TO is odd (slice of V-nodes). 

Claim 18. For every i <m and every v £ Vi holds: Ker,v |= 4>i if and only if 
apathQ^v, T). 

The proof of the claim can be found in the Appendix. With Glaim [15] we 
get that (G, s,r) e ASGAP(Vout=2,3in=l)iog if and only if (ATer, s, <?^o) G 
GTL-MC(ER). Since the transformation can be computed in logarithmic space, 
it follows that ASGAP(Vout=2,3in=l)iQg logspace reduces to GTL-MC(ER). 

Theorem 19. GTL-MG(ER) is LOGCFL-compZete. 

Proof. From Theorem [T7] we have LOGGFL-hardness, hence only membership 
must be shown. 

A right form of an {ER}-formula ip is a sequence (ai,..., Om,/?) of {ER}- 
formulas such that ip = ai ER(q !2 ER(a 3 ER (• ■ • (Om ER/3)) ■ • •))). For example, 

ip = {aERb) ER((cER d) ER(eER/)) 

has, amongst others, the forms 

- (aER 6 ,(cERd)ER(eER/)) 

- (aER 6 ,cERd,eER/) 

— (a ER 6 , c ERd, e, /). 

The third right form with pi = f is called atomic right form., because / is an 
atom. 

Claim 20. Let tt be a path through a Kripke model K. The following statements 
are equivalent. 


1. Vi > 1 : -fC, 7r[i] \= P 

2. Vi > 1 : iV,7r[i] ^ (ai,..., a^,/3) 

The proof of the Claim proceeds by induction on m. The base case m = 0 is 
clear, because /3 = (/3). For the inductive step m > 0, the following holds. 

Vi > 1 : iV, 7r[i] ^ {oi, 02 , • ■ •, am, P) 

Vi > 1 : iV, 7r[i] ^ { 02 , • ■ •, a^, /?) (semantics of ER) 

^\/i>l:K,'K[i\\=p (by the inductive hypothesis) 

O 

Claim 21. Let tt be a path through a Kripke model K, and let k be an integer. 
The following statements are equivalent. 

1. \/i <k : K,Tr[i] ^ (oi,... ,a^,/3) 

2. K, Tr[k] ^ (ai,..., am, P) and Mi <k K, 7r[i] \= p. 

The proof of the Claim proceeds by induction on m. The base case m = 0 is 
clear, because P = (P). 

For the inductive step m > 0, we consider both proof directions separately. 

U . 

Mi <k-. K, 7r[i] ^ (oi,..., am, P) 

^Mi < k Btt' S iT(7r[i]) 

(l)Vj > 1 : K,TT'\j] ^ {a 2 ,...,am,P) or 
{2)31 > 1 : K,tt'[ 1] \= ai SzMq < I ■■ K, 7r'[g] ^ ( 02 , ■ • ■, am, P) 
(semantics of ER) 

=J>Vi < k 3 ti' G 7T(7r[i]) 

(l)Vj > 1 : K,TT'[j] \= p ov (Claim) 

{2)31 > 1 : K,tt'[ 1] \= ai h (ind. hypoth.) 

Mq <l : K, Tr'[q] \= P k K, Tr'[l] ^ ( 02 , ■ • ■, a-m, P) 

^Mi < fc : iV, 7r[i] \= P (since 7r'[l] = 7r[i]) 

11 . 

K, T:[k] \= {«!,..., am, P) and Mi < k '■ K, 7r[i] |= P 

=^Mi < k : iV, 7r[i] |= P and 3tt' G i7(7r[fc]) : 

(1) Vj >1: K, 7r'[j] ^ {a 2 , ■■■, am, P) or 

(2) 3j >l:K, ir'lj] \= ai kMq < j : K, 7r'[g] ^ {a 2 ,..., am, P) 

=>3p G n{w) (where p = 7r[l] • • • 7r[fc](= 7r'[l])7r'[2] • • •) : 

(1) Vj > 1 : K,p[j] ^ P (using the above Claim) or 

(2) 3fc' > k '■ K, p[k'] \= ai k Mi < k' '■ K, p[i] \= ( 02 , • • ■, a^, P) (ind. hyp.) 

=^Vi ^ k . Lf, 7r[i] |= (oi,..., am, P) 



o 

The atomic right form of an {ER}-formula is unique. 

Claim 22. Let (p be an {ER}-formula with atomic right form (ai,..., am, P) and 
m > I, K = {W,R,^) be a Kripke model, and w G W. Then K,w |= if and 
only if there exists a finite path tt through (IT, R) starting in w with length 
K| < |1T| + 1 such that 

1. K, 7r[i] 1= /3 for alH = 1, 2,..., |7r|, and 

2. (a) |7r| = |VL| + 1, or 

(b) — if,7r[|7r|] \= ai, and 

— K, TrflTrj] \= a 2 ER(a 3 ER(- • • ER(am ER /3) • • •)) (i.e. the formula 

with atomic right form {a 2 , • • ■, am, P))- 

K,w \= {ai ,..., am, P) is defined as 

Btt G n{w) Vi > 1 : K,Tr[i] \= {a 2 , ■ ■ ■ ,am, P) or (9) 

Btt G n{w) 3k > I : K, 7r[fc] ^ ai hVj <k K, 7r[j] \= {a 2 , ■ ■■, am, P) (10) 

By Claim [201 we get that ([0]) is equivalent to the following. 

3-k G n(w) Vi > 1 : K,Tr[i] \= P (11) 

Since P is an atom, mi) is equivalent to 

there exists a finite path tt starting in w with length |7r| = |1T| + 1 
such that K, 7r[z] |= /3 for all i = 1,2,..., |7r|. 

This covers the first half (i.e. 2.a) of the claim. 

Now consider (HOD. Using Claim (OH we get that ((TT))) is equivalent to 

zJtt G n(w) 3fc > 1 : 7r[/c] |= ai & Vj < fc : 7r[j] \= P k. 7r[fc] |= {a 2 , ■ ■ ■ ,am,P) 

(12) 

It is clear that if such a k exists, then k can be chosen to be < |IT| + 1. This 

covers the second half (i.e. 2.b) of the claim. O 

Algorithm 11.11 implements this algorithm according to Claim [OH It is easily 
seen to work in logarithmic space. The stack is used for the recursive calls. Since 
essentially every subformula causes one recursive call, the algorithm runs in 
polynomial time. Thus it is an LOGCFL algorithm. 

6.3 EG 


Theorem 23. CTL-MC(EG, ©) is complete. 


Algorithm 1.1. LOGCFL machine that decides CTL-MC(ER) 
Procedure: check 

Input: Kripke structure K = {W,R,^) , initial state wo £ W , 

formula (f) with only ER operators . 

Output: true iff K,wo\=<j)- 

let (ai,..., am, fi) be the atomic right form of (f) 
if /3 0 ^(wo) the return false 
guess £ < \W\ + 1 
i := 1 
s := Wo 

while i < £ do 

s := guessed successor of s 

if /3 0 ^(s) then return false 

i := i + 1 

if £=\W\-\-l or m = 0 then return true 

else return check(A,s,ai) & check(_K', s, { 02 , ■ • •, Om,/3)) 


14 u V4: 


14 U1/3: 


V2UV2: 


VlUVi: 


14 U 14: 



Figure 9. Kripke model obtained from the ASGAP(Vout=2, 3in=l) instance 

in Figure |4] 


































































































Proof. The upper bound P follows from [7]. For the lower bound—P-hardness— 
we give a reduction from ASGAP(Vout=2, 3in=l). Let (G, s,T) be an instance 
of ASGAP(Vout=2, 3in=l) with G = {V,E) for F = u Vy with slices F = 
Fo U ... U Vm- Let d" = {V ^be the graph obtained from G as described in 
Section [721 Using G^, we construct a Kripke model = (V^,E^,d with 

assignment f as follows (see Figure [7] for an example). 

1. Si is assigned to all nodes in . 

2. Si is assigned to all nodes F. 

3. t is assigned to all nodes in T. 

The formulas ipi {i = m,m — 1, ... ,0) are inductively defined as follows. 


t, 

EG(si © Si+2 © Si © Si+i © i^i+i), 


if * = TO 
if i < TO 


We have the following easy-to-see properties of the model Ar(EG,e) and the 
formulas (pi. 

Claim 24- 1- For all i <m, all nodes w G Vi , and all j > i holds Ar(EG,e), w F 

ipj. 

2. For alH < m and all nodes z G Vi holds Ar(EG,e), Pi- 

3. For alH < m and all u G F with iu,u) G E^ holds Ar(EG.©);'a H Pi-i- 

We sketch the proof. For[I] Ar(EG,©),'ic ^ (pj since no atoms that appear in 
(fj are assigned to node w in slice i < j. 

For|2 By the definition of f we have z G C(si) and z € £,{si), and z ^ ^(si+ 2 ) 
and z ^ ^(si+i). With case[T]we also have Ar(EG,©), 2^ F Pi+i- Thus iL(EG.©)) ^ 

Si © Si+2 © Si © Si+1 © Pi+ 1 , and consequently ^(eg.©), Pi- 

For 131 For i^i_i = EG(si_i © Si+i © F-i © Si © pi), we have that Si G f(u) 
and Si_i,Si+i,Si-i ^ ^(m)- From|7]we get A:(eg.©),m ^ Pi- Thus, Ar(EG.©),M h 
Si_i © Si+i © Si_i © Si © (pi- Since all infinite paths tt G n{u) only loop through 
u (e.g. 7r[fc] = u for all k > 1), it follows that Ar(EG,©)) u |= Pi-i- O 


Claim 25. For all i < m, all nodes w gV^, and all j <i — 2 holds: Ar(EG.©)) ^ 

Pj- 


The proof is by induction on i. 

— Base case i = m. Gonsider w GV!f^. Notice that every infinite path tt G n(w) 
eventually loops in a node G Vn with {uw,Uw) G E^. Since AT, n F EGa 
if and only if AT, v \= a and AT, v' F EG a for some successor v' of n, it 
suffices to show that Ar(EG,©): F Pj- We proceed by induction on j, where 

j = m — 2 is the base case. Since Ar(EG,©),««> F Pm-i IGlaim [M1|!?|) L it 
follows that Ar(EG.©),Mu, F Sm -2 © Sm © Sm -2 © Sm -1 © Pm-\^ and thuS 
^(EG,®))Wu) F Pra- 2 - (Generally, a formula EG a is satisfied in a node u if 
and only if m F cr and F EG a for some successor v of u.) 

For j < m — 2, we have the inductive hypothesis ATj-eg,©),M m F Pj+i- Since 
K(EG,(B)y^w F F©®f+2®F'®F+l! followS that Ar(EG.©),Mu, F F®'5 j+2® 

Sj © F +1 ® Pj +1 and thus Ar(EG,©), F Pj- 



— Inductive step i < m. Consider node w . Again we proceed by induction 

on j. 

• Base case j = i — 2 ior (pj = EG(sj © Sj+2 © Sj © s^+i © Pj+i)- Since no 

states in slices > i satisfy sj, Sj, and Sj+i, and \= Sj+2(= Si), 

it follows that K(^eg,®),w \= pj iff ^(EG.e),^ |= EG(sj+2 ® pj+i). By 
inductive hypothesis we have Ar(EG 0),u ^ ^j+i for all v G These 
nodes v do not satisfy Sj+2- Therefore ^ EG(sj+2 © ^j+i) 

only holds, if it is witnessed by a path that stays in slice . This path 
eventually loops in a node G Vi with G . By Claim 

we know H Vj+i (since j + 1 = i — \). Consider pj = 

EG(sj © Sj +2 © Sj © Sj+i © Pj+i)- We have that Sj +2 and Pj+i are 
the only “parts” of pj that are satisfied in Uw Thus Ar(EG,e);Wu, ^ 
Sj © Sj +2 © Sj © %+i © Pj+i, and therefore ^(eg,®)) ^ Pj. 

Since every path from w that stays in slice i ends in such a node Uw^ we 
get that Ar(EG.©),n; ^ Pj. 

• Inductive step j < i — 2. Consider pj = EG(sj © Sjj -2 © Sj © Sj+i © 

Pj+i)- By inductive hypothesis we know /^(eg,®),^; ^ Vj+i- Moreover, 
Sj,Sj+ 2 ,Sj,Sj+i Therefore A:(eg,®),w ^ pj. O 

Claim 26. For every i <m and every w G Vi holds: Ar(EG,®)) w \= V and only 
if apathQ{w,T). 

The proof proceeds by induction on i. The base case z = to is straightforward. 

For the inductive step i < m, consider w G Vi. 

Ar(EG,®), n; 1= EG(si ©Si +2 ©Si ©Si+i © V5i+i)(= Pi) if and only if there exists 
an infinite path tt G n{w) such that Ar(EG,®), 7'‘[j] ^ Si © Si +2 © Si © s^+i © Pi+i 
(=: ai) for all j. Notice that this is equivalent to ^^(eg,®)) |= Pi for all j. 

Assume that such a tt exists. Since \= Si and ArfEG.®))^; ^ 

Si+2j Si, Si+i, it holds that 7r[l] ^ at. For the “right neighbour” v G Vi 

of w holds Ar(EG,®),'c V’i IClaimThis means that 7r[2] G I^+i. Then 
Si+i G ^(7r[2]) and Si, Si+ 2 , Si, Si+i ^ ^(7r[2]). Therefore, Ar(EG.®), ’’’P] |= ai if and 
only if A:(EG.®),7r[2] |= pi+i. 

Since no node in layer Vij ^2 satisfies pi (Claim [25]), we conclude that 7r[3], 
7r[4],... must be in slice If (7r[3], 7r[3]) G , we are done as ^(eg,®), 7''[3] ^ 
Pi by Claim [Mtl51) . Otherwise, 7r[3] is a node in Vi+i. By Claim IMtOl) we have 
Ar(EG.®),7r[3] ^ pi+i. Since Si,Si+2,Si ^ ^(7r[3]) and Si+i G ^(7r[3]), we get 
Ar(EG.®),7r[3] ^ ai. 

Now, 7r[(7] for even q> A can be dealt like 7r[2], and 7r[r] for odd r > 5 can 
be dealt like 7r[3]. Let 7r[l], 7r[2],..., 7r[5] be the finite prefix of tt that ends in 
the node through which tt eventually loops. We have seen that Ar(EG,®)j''^ |= '•Pi 
if and only if ^(eg.®), 7r[2] ^ pi+i and Ar(EG.®),7r[4] |= pi+i. By the inductive 
hypothesis this is equivalent to apat/ze(7r[2],T) and apathQ{'K[A\,T). Since 7r[2] 
and 7r[4] are all the successors of 7r[l] = zc in G, the latter is equivalent to 
apathQ(w,T). O 

With Claimwe get that (G, s, T) G ASGAP(Vout=2, 3in=l) if and only if 
Af(EG,®)iS 1= po. The CTL-MC(EG,©) instance (^(eg,®); s, (/Sq) can be computed 






in space logarithmic in the size of G. Thus ASGAP(Vout=2, 3in=l) logspace 
reduces to CTL-MC(EG, ©). 

Lemma 27. CTL-MC(EG) is NL-hard. 

Proof. We give a logspace reduction from the NL-complete graph accessibility 
problem. Let (G, s,t) be the given GAP instance with G = iV,E). Let V' = 
{(■u,i) \ u G V,1 < i < |P|} be a set consisting of \V\ copies of every node in 
\V\, and E' be a set of edges on V similar to E, such that an edge {u,v) G E 
leads to edges from the Ah copy of u to the {i + l)st of v, plus reflexive edges 
for all |y|th copies, i.e., E' = {((m, z),(u,i + 1)) | {u,v) G E,1 < i < |y|} U 
{((u, |y|), (u, |P|)) I u G V}. The assignment ^ assigns a to all nodes {u,i) G V' 
with z < |y I or u = t. Let M = fV', E', be a Kripke model. It is clear that G 
has an s-t-path if and only if M, (s, 1) |= EG a. 

Lemma 28. GTL-MG(EG) and GTL-MG(AF) are in NL. 

Proof. First note that EG • • • EGp = EGp. 

The algorithm for GTL-MC(EG) gets input {(IF, i?, ^), wo, EG^p). If A: = 0 
(i.e. the formula to check equals p), it checks whether wq G f{p) and decides 
accordingly. If fc > 0, the algorithm must verify whether (IF, R) has an infinite 
paths starting in wq on which p is satisfied in every point. The existence of 
such a path is equivalent to the existence of two paths wq = vi,V 2 ,. ■. ,Vm and 
Vm = ui,U 2 ,... ,Uq = Vm for some m,q < |IF| such that p is satished by all 
Vi and Ui. Both paths together form an ultimately periodic infinite path that is 
searched for. The algorithm first guesses Vm and q, and then stepwise guesses 
the paths and verifies that p is satisfied always. This is clearly an NL-algorithm. 

Since K,wo \= AFp iff K,wo ^ E G-ip, the above GTL-MG(EG)-algorithm 
can be used to decide GTL-MC(AF). Since NL is closed under complement, 
GTL-MG(AF) is in NL, too. 

Lemma 29. GTL-MG(EG, A) is in NL. 

Proof. We first notice that EG(q;AEG /3) = EG(aA/3). (I) lFK,w ^ EG(aAEG j5), 
then there exists a path starting in w on which everywhere aA/3 is satisfied. (2) If 
K^w \= EG(aA/3), then there exists a path tt starting in w on which everywhere 
aA/3 is satisfied. Then K, 7r[TO] (= EG /3 (witnessed by tt™) for every m. Therefore 
K, w ^ EG(a A EG /3). 

Due to EG EG a = EG Of and the above equivalence, every {EG, A}-formula 
can be transformed to an equivalent formula of the form a A 
where a and all (de are conjunctions of atoms. The satisfaction K, s \= EG can 
be checked nondeterministally within logspace by guessing the relevant prefix 
of a looping infinite path that satisfies fSi in every node. Doing this for all EG- 
subformulas yields an NL-algorithm for GTL-MG(EG, A). 


Lemma 30. GTL-MG(EG, V) is in NL. 



Proof. Every {EG, V}-formula can be transformed into an equivalent formula of 
the form Q!V\/f=i 2 (*)’ '''^here a is a disjunction of atoms and every 

Pt, is a formula of the form (*) (for fc = 0, such a formula is a disjunction of 
atoms). 

Claim 31. Let K = be a Kripke model, a be a disjunction of atoms, 

and fit, be formulas of the form {*). Then K,s EG(a V V^=i 2 fe Pi) 
and only if 

1. there is a path ui,..., Vm through K starting in s and of length m = |IT| + 1 
such that K,Vi \= a ior i = 1,2,... ,m, or 

2. there is a path vi,... ,Vm through K starting in s and of length 1 < m < 
\W\ + 1 such that K,Vi |= a for i = 1,2,..., m — 1 and K, Vm h EG fq for 
some q. 

Proof. The implication from left to right is straightforward. Consider the other 
proof direction. If [T] happens, then R contains an edge from Vm to some prede¬ 
cessor on the path. Using this loop we get an infinite path that satisfies a on every 
of its nodes. If [2] happens, then let ui,U 2 ,... be the infinite path starting with 
Vm = ui such that K, Ui |= fq for alH > I. Then K, Ui ^ EG fq for all* > I. Con¬ 
sequently, on every node of the infinite path vi{= s),... ,Vm{= ui),U 2 , .■ ■ the for¬ 
mula aV\/^=i 2 fc EG /3^ is satisfied. Therefore K,s \= EG(aV\/^=i 2 fe EG ft). 

Using this claim, an NL-algorithm can proceed as follows. On input K, s,a\/ 
\Jt=i 2 fe eg ft, it accepts if K,s \= a. Otherwise, it guesses an i and goes to 
check iG, s 1= EG fi where fi = a'V\Jt=i 2 fc EG f'f). For this, it guesses which 
of the two cases of the Claim has to be fulfilled. Case 1 can be verified straight¬ 
forwardly. For case 2, it guesses the relevant m and q, guesses Vi and checks 
that K, Vi \= a' for i = 1,2,... ,m — I and eventually recursively checks whether 
K, Vm H EG fi for some j. Since this is a tail recursion whose depth is bounded 
by the depth of the input formula, it can be performed nondeterministically 
within logspace. 

Lemma 32. CTL-MC(EG,- 1 ) is in NL. 

Proof. The following equivalences hold for EG and its dual AF. 

1. EG EG a = EG a 

2. AF AF a = AF a 

3. EG AF EG a = AF EG a 

4. AF EG AF a = EG AF a 

Proof of [21 11 K,w 1= EG AF EG a, then clearly K,w \= AF EG a. For 
the other direction, assume K,w AF EG a. Take some tt S n{w). Then 
K, Tr[k] 1= EG a for some “smallest” k with K, 7r[i] ^ EG a for i = 1,2,... ,k — 1. 
Since K, 7r[I] ^ AF EG a, it follows that K, 7r[z] |= AF EG a for i = 1,2,..., k—1. 
Moreover, let p be a path that witnesses K,'K[k] \= EG a. Then witnesses 


K, p[j] ^ EG a for all j > 1, and from K, p[j] ^ EG a follows K, p[j] |= AF EG a. 
Concluding we have for the infinite path A = (7r[l](= n;), 7r[2],..., TT[k — l\, p[l\{= 
7r[/c]), p[2],...) that iG, A[i] |= AF EG a for all i, what means that A is a witness 
for AT, n; 1= EG AF EG a. 

The proof of S] follows from [3] by the duality of AF and EG. 

These equivalences yield that every { EG, -i}-formula with atom p is equivalent 
to EG AF p or AF EG p, or to EGp or AFp, or to p, or to one of these formulas 
where p is replaced by -<p. For a given {EG,-i}-formula it can be checked in 
logarithmic space to which of these cases the formula belongs. 

We first describe an algorithm for the EG AF p case. 

The algorithm gets input ((VF, i?, ^), wq, EG AFp). It must verify whether 
(IF, i?) has an infinite paths starting in wq on which AFp is satisfied in every 
point. The existence of such a path is equivalent to the existence of two paths 
wq = vi,V 2 , ■ ■ ■ ,Vm and Vm = ui,U 2 , ■ ■ ■ ,Uq = Vm for some m,q < \W\ such 
that AFp is satisfied by all Vi and Ui. Both paths together form an ultimately 
periodic infinite path that is searched for. The algorithm first guesses Vm and 
g, and then stepwise guesses the paths and verifies that AFp is satisfied always. 
This is done by guessing the next Vi (resp. Ui), and then starting the (slightly 
modified) NL-algorithm for CTL-MC(AF) with input {{W,R,^),Vi,M- p). If it 
reaches an accepting configuration, then the next Vi (resp. Ui) is guessed etc. 

This also yields an NL-algorithm. 

The algorithms for the other cases are constructed in the same way. Since 
NL is closed under complement, all algorithms are NL-algorithms. 


6.4 EF 

Theorem 33. CTL-MC(EF) and CTL-MC(EF, V) are NL-complete. 

Proof. It suffices to show NL-hardness of CTL-MC(EF) and containment in NL 
of CTL-MC(EF,V). 

NL-hardness of CTL-MC(EF) follows by a reduction from the directed graph 
accessability problem as follows. Let {{V,E),s,t) be an instance of the graph 
accessability problem—i.e. we want to decide whether graph (F, E) has an fi¬ 
t-path. Let E be the reflexive closure of E. Then (F, E) is a total graph, and 
it has an fi-t-path if and only if {V,E) has some. Define the assignment ^ as 
^(t) = {p} and ^{w) = 0 for w t. Then {V,E) has an s-t-path if and only if 
(y,E,^),s \= EF p. 

For CTL-MC(EF, V) S NL, note that EF(a V EF/3) = EF(a V /3) and EF a V 
EF/3 = EF(a V /3). Thus, every {EF, V}-formula can be transformed into an 
equivalent formula of the form a V EF /3, where a and /3 are disjunctions of 
atoms. This transformation can be done in logarithmic space. The NL algorithm 
on input (AT, wq , </>) verifies whether K,wo |= a or guesses a reachable v and 
verifies K,v \= fi. 


Theorem 34. CTL-MC(EF,-i) is NL-complete. 


Proof. NL-hardness follows from that of CTL-MC(EF) (Theorem 1551) . 

Every {EF, -i}-formula can be rewritten as a formula with EFs and AGs fol¬ 
lowed by a literal p or -ip. It is clear that EFEFa = EFa and AG AG a = AG a. 
Thus every such formula can be rewritten as one having a prefix of alternating 
EFs and AGs. With the equivalences of the following claim we can reduce this 
prefix to length < 3. 

Claim 35. Let AT be a Kripke model, w be a node of K, and a be a CTL-formula. 

1. K^w \= EF EF a if and only \i K,w \= EF a. 

2. K,w \= AG AG a if and only if AT, re ^ AG a. 

3. K,w \= EF AG EF AG a if and only \i K,w \= EF AG a. 

(HD and (ED are straightforward. For (HD, notice that K^w \= a implies K^w \= 
EF a. For (ED, we consider both proof directions separately. 

K,w h EFAGEFAGa 

=> dTT € n{w) > 1 V/9 € 7T(7r[fc]) 

Vj > 1 : K, p[j] ^ EF AG a (semantics ...) 

=> d-TT € n{w) > 1 Vp S 7T(7r[fc]) : K, p[l] ^ EF AG a (take j = 1) 

=> 37r € n{w) 3fc > 1 : AT, 7r[fc] |= EF AG a (p[l] = ^[^]) 

=> AT, w ^ EF EF AG a (semantics of EF) 

K,w \= EFAGa (part (HD) 

For the other direction, we use ED and the fact that K,'w \= implies 
K,w \= Ef /3. 

AT, w 1= EF AG a 
=> AT, w (= EF AG AG a 

AT,w h EFAGEFAGa O 

By Claim EH follows that every formula in the {EF, -i}-fragment has an equi¬ 
valent formula in the (EF, AG {-fragment with atomic negation, whith a prefix 
of at most three temporal operators. Since CTL-MC(EF) and CTL-MC(AG) are 
in NL (follows from Theorem EH and the closure of NL under complement), 
similar as in the proof of Lemma EH an NL-algorithm can be composed that 
combines the CTL-MC(EF) and CTL-MC(AG) algorithms in order to evaluate 
the bounded number of alternations of temporal operators. 

Theorem 36. CTL-MC(EF,0) is -hard. 

Proof. We give a reduction from the AC^-complete problem ASGAPjog. Let 
(G, s,T) be an instance of ASGAPiog, where V = Vy U Vi consists of slices 
V = Vo U Vi U ... U 14 . W.l.o.g. we assume that V) C Vy. 

Next we describe the construction of a Kripke model ATef.q that bases on G. 
In order to ease the readability of the proof, we prefer to use the indices of the 
slices in reverse order. Let FVq = Vi (the slice with nodes without successors), 
W( = 14 - 1 , IF 2 = 14 - 2 , • ■ •, IL^ = Vq. By the above convention, Wg consists of 
V-nodes. Thus Vy = IJ- II 4 ' and 14 = IJ- W[. Fventually, we add 2{l 3-1) 


new nodes and define Wi = W- U {a^, 6^} for i = 0,1,..., We will call each Wi 


as layer i, and W = |J Wi is the set of nodes of 

i=0 

Next we consider the edges. We take all edges from E, and add loops {u, u) 
for all u G Wq. The new at nodes form a path {{ai,ai-i) | — 1,..., 1}, 

and the new bi nodes form a path Et = {{bi, bi-i) \ i = — 1,.Moreover, 

for odd i every node u G Wi has an edge (m, at-i) to ai_i, and for even i > 2 
every node u &Wi has an edge (u, &i_i) to bi-i. Let E' denote this set of edges. 

We complete the description of with the assignment It marks each 

layer Wi with an individual atom Zi. Moreover, the nodes in T and &o are marked 
with t. 


{zo,t}, if w G Wo n (T U {6o}) 

{zi}, if w G Wi n T U {6o} 


The Kripke model It'EF,© constructed from G is defined as I^ef,® = (W 
Figure (TU] shows an example for the construction. (This example does not have 
logarithmic depth, but gives a good insight into the construction.) 


Wo: 

Wi: 

Wo: 

Wg: 

W4: 



Figure 10. Kripke model IGef,® constructed from an alternating graph. 


For i = 0,1, 2, ...,£, we inductively define formulas ipi as follows. Here we use 
AG a as abbreviation for s 0 EF(s © a) for a new atom s that is satisfied in every 
node of the Kripke model. Under this condition, s©EF(s©a) = -1 EF -la = AG a. 

t, if i = 0 


Ef( 0 z 


if i > 0 and odd (layer i 

: 3-nodes) 

^ zea(i') 




Ag( © z 


if i > 0 and even (layer ; 

V. V-nodes) 

Wea(i) 

j=0 ^ 




where each a{i) is a subset of {zq, zi,..., Zi} defined as follows. Let denote 
the number of elements of the set A. 





— for odd i and j <i — 1 •. 

Zj € a{i) iff 

#{m € {0,1, 2,... ,j — 1} I m odd} + #{to G {j + 2,..., i — 1} | m even} 
is odd 

— for odd i and j G {i — l,i} : 

Zj € a(i) iff #{to G {0,1, 2,..., i — 2} | m odd} is odd 

— for even i and j < i — 1 : 

Zj G a{i) iff 

#{m G {0,1, 2,..., j — 1} I m odd} + #{m G {j + 2,..., i — 1} | m even} 
is even 

— for even i and j G {i — 1, i} : 

Zj G a(i) iff #{to G {0,1, 2,..., i — 2} | m odd} is odd 

As examples, we write down cpo, ipi, ip 2 , and ips. 

— ipo=t. 

— For (pi'. Zo, zi ^ a(l) since #{m G 0 | m odd} = 0 is even. 

Thus, ipi = EFt. 

— For (p 2 - zo G a{2) since #{m G 0 | m odd} + #{to G 0 | m even} = 0 is even. 
zi,Z 2 ^ q;( 2) since #{to G {0} | m odd} = 0 is even. 

Thus ip 2 = AG(zo © f © EF t). 

— For ips: zq G a(3) since #{m G 0 | to odd} + #{to G {2} | to even} = 1 is 

odd. zi G a(3) since #{to G {3} | to odd} + #{to G 0 | to even} = 1 is odd. 

Z 2 , Z 3 G a(3) since #{to G {0,1} | to odd} = 1 is odd. 

Thus (fs = EF(2:o © © ^2 © -23 © i © EFt © AG( 2 ;o © t © EF t)). 

The following claim contains the crucial properties of Kripke model 
and the formulas (pi. 

Claim 37. For every j = 0,1,..., £ and every node Wj G Wj the following holds. 

(A) KEF,^,Wj \= pj if and only if KEF,e,Wj ^ pj+i. 

(B) For all i > J + 2 holds Aef,©, Wj \= pi if and only if i is even. 

(C) KEE,®,bj ^ Pj and KEE,®,aj ^ pj. 

(D) For Wj GV n Wj: KEF,^,Wj ^ Pj if and only if apathQ{wj,T). 

Proof. Throughout the proof, we will use the following straightforward connec¬ 
tion between sums of Zi and their satisfaction in different layers. By the construc¬ 
tion of the Kripke model ATef,©, each Zj is satisfied exactly in nodes of layer Wj. 
Therefore for all i > j and 

for every Wj G Wj holds: Zj G a(i) if and only if ArEF,©,^^ 1= 0 2. (13) 

zea(i) 


The proof of the Claim proceeds by induction on j. 

The induction base is j = 0. For case (A), we have to consider po = t and 
Pi = EFt. In layer IFo, all nodes only have itself as successor, and therefore t is 
satisfied in a node of layer Wq if and only if EF t is satisfied by this node. 



For case (C), clearly KEf^^,bo \= t and iFEF,e,ao ^ t. 

For case (D), iFEF,e,wo ^ t if and only if Kee,q,wq S T if and only if 

apathQ{wo, T). 

For case (B), we proceed by induction on i. First, notice that for every wq 
in layer 0, /fEF,©,wo |= EF(^) iff iFEF.©,wo h V') and iFEF.©,wo h AG(V') iff 
-ffEF.©, Wo 1= i). 

The base case is i = 2. Every node in layer Wq satisfies, ip 2 = AG( 2 ;o©t©EF<). 
For the inductive step, consider a node wq & Wq. Notice that Kef,©, wq ^ 

(part (A)). By the inductive hypothesis, all formulas (pq for even q with 2 < q < i 
are satisfied in wq , and all formulas pr for odd r with 2 < r < i are not satisfied 
in Wq. By the semantics of © we can conclude 

i-l 

Kef,®,wo 1= 0 (fii if and only if #{m G {2, 3,..., i — 1} | m even} is odd. 
1=0 

(14) 

We have to consider the cases for odd resp. even i separately, and we start 
with i > 2 being odd. By the definition of a{i) we have 

zq G a{i) if and only if #{m G {2, 3, ...,* — 1} \ m even} is odd. (15) 

From da and da being equivalences with the same right-hand side, and ap¬ 
plying da for Wq in layer j = 0, we get 


Kee,®,Wo \= ^ z 

2-1 

if and only if ATef.©, wq |= 0 ‘Fg 

z£a{i) 

i=0 

and therefore 

2-1 

2 — 1 

ArEF,©,Wo ^ ^ Z © ^<Pl, 

yielding ATef,® , wq EF 0 2: © 0^^;) 

zGcx{i) l—O 


For even i > 2, we have 



Zq G a{i) if and only if #{to G {2, 3,..., i — 1} | to even} is even. (16) 
From (1141) and (1161) . and applying da for Wq in layer j = 0, we get 


A'ef,©,wo h if and only if ArEF,©,wo ^ 0 

zEia(i) 


1=0 


Therefore, 


2-1 


2-1 


ArEF,©,wo h 0 ^ ® 0‘/^G yielding A:ef.©,wo h AG ^ z © 


z£a{i) 


Z=0 


z€a{i} 


1^0 



This concludes the proofs of the base cases. 

For the induction step, consider j > 0. We start with some essential obser¬ 
vations for nodes Wj S Wj. For even i > j, the formula (fi has the form AG(.. 
and by the semantics of AG, we have that iGEp,©, Wj \= (pi holds if and only if 


i-l 

ArEF,©,Wj 1= 0 ^ ® 0 Pi, and (17) 

z^Oi{i) l—O 

for all successors v of wj holds ArEF.©,^^ |= Pi- (18) 

Since every successor v of Wj is in layer j — 1, and i> (j — 1) -I- 2, from part (B) 
of the induction hypothesis follows that ArEF,©,^^ |= Pi for all v in layer j — 1- 
Therefore, \= pi is equivalent to (flTl) . Similarly, for odd i > j holds 

KEF_i^,Wj \= Pi if and only if 


i-l 

.?^EF,©,Wj h 0 ^ ® 0 Pi, or 

zG(y(i) l—O 

for some successor v of Wj holds ArEF,©,u |= Pi- 

Since every successor v of Wj is in layer j — 1, and i > (j — 1) -I- 2, from part (B) 
of the induction hypothesis follows that ATef,©,'!' ^ Pi- Therefore we obtain the 
first observation 

i-l 

for i> j ■- ATef,©, Wj h Pi if and only if ATef,©, Wj \= 0 2 ® 07’i- (19) 

z^a(i) l—O 

By the inductive hypothesis (C) we know that ATef,©, br ^ Pr for all r < j. 
For all odd r < j it holds that br is reachable from Wj. Since for odd r, the 
formula pr has the form EF(...), it follows that ArEF,©,Wj |= pr for all odd 
r < j. The inductive hypothesis (C) also yields that ArEF,©,«q Pq for all even 
q < j- Since all such Uq are reachable from wj, and for even q the formula pq 
has the form AG(...), it follows that A^ef,©, Wj ^ pq for all even q < j. Both 
together yield for every t < j, 

t 

ATef,©, Wj \= Pi if and only if #{m g {0,1, 2,..., t} | m odd} is odd. 

(20) 

Now back to the inductive step. We start with the inductive step for part 
(A). Let Wj g Wj for j > 0. By (IT^ we get 


3 

l^EF,©,Wj 1= pj +1 if and only if ArEF.©,Wj |= 0 ^ ® 0‘f’i- (21) 

2Ga(j+l) 1=0 


Because Zj S a{j + 1) if and only if #{m G {0,1, 2,..., j — 1} | m odd} is odd, 
it follows with m and (EHl) that 


Kef,®, Wj h 0 z if and only if KEF,®,Wj \= 0 VI 
and therefore 

KEF,®,Wj ^ 0 z © 0V3,. 

zect(j+i) /=o 

Adding ipj we get 

3 

Kef,®,Wj 1= 0 ^ ® 0 ipi if and only if KEF,®,Wj \= Vj- (22) 

z&oi(j+l) 1=0^ 

j —1 

= ( 0 

1=0 

m and l\n\i yields KEF,®,Wj \= (pj if and only if KEF^^,Wj |= Vj+i- 
This also proves 


for all j: Kef,®, Wj y= ipj © Pj+i- (23) 

We continue with the induction step for case (B) for j > 0, and proceed 
by induction on i. The base case is i = j + 2. By dm) we have 





’Wjh 0 2 

J + l 

© 

LL 

LU 

Wj h V3+2 

if and only if ATef,®: 

© 

0 




zea(j+2) 

1=0 

With (H 

151) we get 






t+i 


i-i 

ArEF,®,'^' 

'3 h 0 

2 ® Vi iff Kff, 

^ 0 

z © 0. 


zea(j+2) 

1=0 

zea{j+2) 

1=0 


We consider the cases for even resp. odd j + 2 separately. First, we consider odd 
j + 2. Since #{to G {j + 2,..., (j+2) —1} | m even} = 0, we get that Zj G a(j + 2) 
iff #{m G {0,1, 2,..., j — 1} I m odd} is odd. With (12(111 we get 

KFF,®,Wj 1= 0 z if and only if Wj |= 0 VI 

z^Ck.{j-\-2) l—O 

and thus 

KEF,®,Wj 0 ^ ® 0 Vi- (26) 

z^cx.{j-\-2) /—0 


From (123), and (1^ we get Wj ^ ^j +2 for odd j. 

For even j + 2, we proceed similarly. Since #{m € {j + 2,..., (j + 2) — 1} | 
m even} = 0, we get that zj S a{j + 2) iff #{m G {0,1, 2,..., j — 1} | m odd} is 
even. With (123 we get 

KEF,®,Wj \= 0 z if and only if ^ 0 ‘pi 

zGa{j-\-2) l—O 


and thus 

Kef^^,Wj \= 0 ^ ® 0 ^?;- ( 27 ) 

zGot{j-\-2) l—O 

From (I24L (03 - (123 we get Kef,®, Wj \= Pj +2 for even j. 

Now for the inductive step i > j + 2. From ([T3 we have 

2-1 

Kef,®,Wj ^ (fi if and only if KEF,®,Wj }= 0 ^ ® 0 Pi. (28) 

zG(x{i) l—O 

By the inductive hypothesis, we know for r < i holds 

T^EF.e, Wj ^ pr for odd r > j + 2 and KEF,®,Wj ^ pq for even q > j + 2. 


This means 

i-l 

KEF,®,Wj 1= 0 Pi if and only if #{m G {j + 2,... ,i — 1} \ m even} is odd. 

l=j+2 

(29) 

With (1^ we get 

j-l i-l 

KeF,®,Wj ^ 0 Pi ® 0 Pi iff 
1=0 l=j+2 

#{m G {0,1,..., j — 1} I m odd} + #{m G {j + 2,..., f — 1} \m even} is odd. 
And with ((23ll wj ^ pj © Pj+i we eventually get 

i-l 

Kef,®,Wj H0 Pi iff #{to G {0,1,... ,j - 1} I m odd} 
i=0 

+ #{m G {j + 2,..., f — 1} \ m even} is odd. (30) 

For odd i, we have Zj G a{i) iff #{to G {0,1,..., j — 1} | m odd} + #{to G 
{j + 2,... ,i — 1} \ m even} is odd. With (IHHll follows 


i-l 

KEF,®,Wj ^ 0 ^ ® 0 Pi (for odd i). 

zGa(i) l—O 


With (1^ follows i^EF,®, Wj ^ for odd i > j + 2. 

For even i, we have Zj € a(i) iff #{m € {0,1, 2,..., j — 1} | m odd} + #{m G 
{j + 2,..., i — 1} I m even} is even. With (1^ follows 

i-l 

0 ^ ® 0 (fii (for even i). 

zGo:(i) l—O 

With (PSI) follows Kef,® , Wj \= ‘Pi for even i > j + 2. This concludes the proof of 
the inductive step for (B). 

Now we consider the inductive step for part (C). We start with even 
i > 0 and the state bi. By the semantics of AG we get 

i-l 

Kef,®,!^^ Pi iff Kef,®5^z ^ 0 ^ ® 0 Pi and KEF,®,6i-i 1= (31) 

z^cx{i) l—O 

Part (A) of the general inductive hypothesis yields that Kef,®,^^-! |= Pi 
is equivalent to KEF,®,f>i-i |= Pi-i, and the latter holds due to the inductive 
hypothesis. Thus from (ISTl) remains 


i-l 

Kef,®, bi h Pi if and only if Kef,®, |= 0 ^ ® 0 Pi. (32) 

z^a{i) l—O 

We now consider the right-hand side of ((32ll . With (EHl) we get 
2-1 

-^EF,0; H 0 Pi if and only if #{to G {0,1, 2,..., i — 1} | m odd} is odd. 
1=0 

(33) 

We have Zi G a{i) iff #{m G {0,1, 2,..., f — 2} | m odd} is odd. Since z — 1 is 
odd, we get G a{i) iff #{m G {0,1, 2,..., z — 2, z — 1} | m odd} is even. With 
lIHHI) we get 


i-l i-l 

KEF,®,bi h 0 2 iff Kef,®, bi ^ 0 Pi, hence Kef,®,6z|= 0 ^ ® 0 Pi- 

zG(x{i) l—O z^a.{i) l—O 

(34) 


From (IMl) and (15^ follows Kef,®, bi \= pi (for even z). 

For even z and state a^, we have Kef,®, oz H Pi if ^rid only if 

z-i 

KEF,®,az h 0 ^ ® 0 Pi , and 

z£ct{i) l—O 

KEF,®,bi-i \= Pi, and 
ATef,®, fli-i \= Pi- 


( 35 ) 


Since (1551) is equivalent to |= (part (A) of the general in- 

dnctive hypothesis), and ArEF.©,ai_i ^ (inductive hypothesis), it follows 

that ATef,®, ai ^ 

Now consider odd i > 0 and state bi. By semantics of EF we get ATef,® , |= 

if and only if 

ArEF,®,&i h 0 ^ ® 0 'fu or 

z^(y.{i) l—Q 

KEf,(s,bi-i\='fi, or (36) 

A"EF,®)^i—1 

Part H36p follows from part (A) of the general inductive hypothesis and the 
inductive hypothesis ArEF,®,&i-i H ^i-i- Thus ArEF,®,&i H ‘Pi proven. 

For odd i > 0 and state Oi, we have ATef,®, |= ipi if and only if 

z-l 

ArEF.®,ai h 0 ^ ® 0 Ph and 

zGci{i) l—O 

ATef,®,O i-i |= Pi- 

From the inductive hypothesis ArEF,®,ai-i ^ Pi-i and from part (A) of the 
general inductive hypothesis follows ArEF,®,ai-i ^ Pi- Thus 

z-l 

A'ef,®, ai 1= Pi if and only if ArEF,®,ai |= 0 ^ ® 0^5; (37) 

z^ck{i) 0 

With (1^ we have 

z-l 

ATef,®, a-i |= Pi if and only if #{to € {0,1, 2,..., j — 1} | m odd} is odd. 
1=0 

(38) 

But Zi G a{i) iff #{to G {0,1, 2,..., i — 2} | m odd} is odd. Since i — 1 is even, 
we have Zi G a{i) iff #{m G {0,1, 2,..., i — 2, i — 1} | m odd} is odd. Thus 

i-l i-l 

ArEF,®,ai h 0 2 iff Oi 1= 0</5;, what yields ATef,®, a* ^ 0 z ® ^pi. 

z^cx.{i) /=0 z^ot{i) ^=0 

(39) 

From (1391) and (1^ follows ArEF,®,ai ^ Pi- 

For the inductive step of part (D), let Wi G IFi H 1^ be a node in layer 
i > 0. We start with even i > 0 and formula pi of the form AG(...). By the 
semantics of AG we have ATef,®, vji \= pi if and only if 

i-l 

ArEF.®,Wi h 0 ^ ® 0 Ph and (40) 

z^a.(i) l—O 

for all successors v of Wi holds ArEF.®,^^ \= Pi- 


(41) 


Since all successors v of Wi are in layer i —1, with the general inductive hypothesis 
(A) we get that (HTll is equivalent to 

for all successors v of Wi holds Kef,®,v \= tpi-i- (42) 

Since for the successor &i_i of Wi, the general inductive hypothesis part (C) 
yields ATEp.e; \= ‘Pi-i, we get that (|^ is equivalent to 

for all successors v €V r\ Wi-i of Wi holds \= (43) 

Since Zi G a{i) iff #{m G {0,1, 2,..., i — 2} | m odd} is odd, and i — 1 is odd, 
we get Zi G a{i) iff #{to G {0,1, 2,..., j — 2, f — 1} | m odd} is even. With (1211 
follows 

1-1 

ArEF,e,Wi 1= 0 ^ ® 0 Vi- 

z^Oi{i) ^=0 

Thus (liOl) holds, and with the equivalence of (HTl) and (H51) we get 

KFF,®,Wi \= <Pi iff for all successors v € V H Wi-i of Wi \= ipi-i- 

By the inductive hypothesis and the construction of ATef,® from G we get 

KEF,<s,Wi \= ipi iff for all successors v & V Wi-i of Wi in G apathQ(v,T). 

Since i is even, Wi is an V-node. This yields what we look for, namely 

Kef.®, Wi \= if and only if apathQ(wi,T) (for even i). 

Next we consider odd i > 0. Then ipi has the form EF(...). From the semantics 
of EF we get that ATef,® > Wi |= ipi if and only if 


KEF,®,W^ h 0 ^ 


(44) 

z^cx{i) 

1=0 


for some successor v 

of Wi holds Kef,®,v ^ Pi. 

(45) 


Since Zi G a{i) iff #{to G {0,1, 2, — 2} | m odd} is odd, and * — 1 is 

even, we get Zi G a{i) iff #{m G {0,1, 2, — 2, f — 1} \m odd} is odd. With 

(1^ follows 

i-2 

ArEF,®,-w, ^ 0 Z ©0</5i. (46) 

z^OL{i) 0 

what shows that (HTl) does not hold. Thus from (HTll and ((THll we get 

ArEF,®,uii 1= ‘Pi iff for some successor v of Wi holds Kef,®,v ^ Pi-i- 


For successor at-i of Wi holds ifEF,©,ai-i Vi (general inductive hypothesis 
(C), (A)). Therefore 


ATef.©) Wi 1= {pi iff for some successor v gV D Wi-i of Wi K£f^^,v \= (fii-i- 
By the inductive hypothesis and the construction of ATef,© from G we get 
ATef,©, Wi 1= (pi iff for some successor v € V fl Wi_i of Wi in G apathQ{v,T). 
Since i is odd, Wi is an 3-node. This concludes the proof of the Claim with 
ArEF,©,Wi ^ (pi if and only if apathQ(wi,T) (for odd i). 


O 

We now have that (G, s,r) € ASGAPiog if and only if (ATef.©, s, G 
CTL-MC(EF, ©). In order to estimate the size \ipi\ of formula pn, let \pi\ be 
the number of appearances of atoms in p. Then \pq\ = 1, and \pi+i !<(* + !) + 
\Vj\- This yields \pi+i\ < 2 • \pi\ + 1. Since the depth f of G is logarithmic 
in the size of G, we get that pi has size polynomial in the size of G. Thus the 
reduction function described above can be computed in logarithmic space. Since 
ASGAPiog is AC^-complete, it follows that CTL-MC(EF, ©) is AC^-hard under 
logspace reducibility. 



